facebook error 'Error validating verification code'

There are presently (as of March 2011) undocumented requirements regarding what makes a valid redirect_uri.

First, both redirect_uri parameters to authorize and access_token must match.

Apparently Facebook (or rather OAuth2) is using the redirect_uri as an internal key to encode the code returned for the access_token request. It's kinda clever, since it verifies back to your site. It explains why the access_token request, which wouldn't otherwise need a redirect_uri parameter, requires one.

Second, you cannot use many special characters in the redirect_uri.

A lot of discussion rages over whether parameters can be passed at all. They can; you're limited in which characters are valid, but no one has published a list that I know of. Traditional methods like URL/HTML encoding will fail because percent (%) is not valid. Slash (/) is not valid either, so a nested redirection URL will always fail. The ONLY way to overcome the special char limitation is to encode the value of the parameter to base64. If you're using ASP.NET, look up Convert.ToBase64.

Lastly, and this is more of a side-note, there are a lot of programmers passing along misinformation that a simple solution is to pass type=client_cred. This may limit your access to some of the permissions you requested in your authorization. It is inadvisable.


Had the same problem all day when testing with redirect_uri=http://localhost:8000 (encoded to http%3A%2F%2Flocalhost%3A8000)...

Solution was simply to make sure to put the trailing slash / on the end of the uri. So redirect_uri=http://localhost:8000/ (encoded to http%3A%2F%2Flocalhost%3A8000%2F).

Again, make sure the redirect_uri is identical for both requests.


I have had this problem. I knew for a fact that my URLs were the same because I used a class with the same $var, but I kept getting the 400 response and that error in the JSON response.

The only thing I did was change my redirect_uri from:

http://myredirecturi.com

to

http://myredirecturi.com/

Yeah, just added the trailing slash and it worked.


You don't really need to encode, just put the '/' at the end of your redirect_url and everything should be fine!


Part of the information given by Aaron Wheeler is incorrect.

It is true that the 'redirect_uri' parameter must be identical in both requests; however, it is perfectly possible to URL encode a regular URL and use that as the value for the 'redirect_uri' parameter, so long as you're careful to further URL encode any inline URLs.

For instance, say you wish Facebook to redirect to the following URL:

http://www.mysite.com/Users/oAuthComplete?my_param_1=/Party/pants

Attempting to redirect the user to

'https://www.facebook.com/dialog/oauth?client_id=12345&redirect_uri='
. urlencode('http://www.mysite.com/Users/oAuthComplete?my_param_1=/Party/pants');

will fail, as /Party/pants creates an invalid URL.

However, redirecting to

'https://www.facebook.com/dialog/oauth?client_id=12345&redirect_uri='
.urlencode('http://www.mysite.com/Users/oAuthComplete?my_param_1='
.urlencode('/Party/pants'));

will work as expected.

If you are using the returned redirect_uri value in the second (authenticate application) request, be sure to URL encode again: the value is automatically URL decoded when populating the $_GET superglobal. This is what tripped me up.

'https://graph.facebook.com/oauth/access_token?client_id=12345&client_secret=SECRET&code=1234567&redirect_uri='
.urlencode('http://www.mysite.com/Users/oAuthComplete?my_param_1='
.urlencode($_GET['my_param_1']));

P.S. In your actual code, I'd recommend using sprintf() rather than chaining strings together like in my example, for better readability.
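The double-encoding described in this answer, as an added example in Python (not the answer's PHP and not Facebook's own code): it builds both requests, simulates what $_GET sees on the callback, and checks that the redirect_uri Facebook decodes is byte-identical in both legs. The endpoints, client_id, SECRET and code are the answer's placeholder values; the helper names are this example's own.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as written in the answer above; client_id / secret / code used in the
# test are the answer's placeholder values, not real credentials.
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"
CALLBACK = "http://www.mysite.com/Users/oAuthComplete"


def build_redirect_uri(callback: str, params: dict) -> str:
    """Encode the callback's own query string once, so a nested value such as
    '/Party/pants' reaches Facebook as %2FParty%2Fpants, never as raw slashes."""
    return callback + "?" + urlencode(params)  # urlencode() quotes '/' as %2F


def nested_slashes_raw(redirect_uri: str) -> bool:
    """True when the redirect_uri's query carries raw '/' characters, the shape
    the answer reports Facebook rejects."""
    return "/" in urlsplit(redirect_uri).query


def authorize_url(client_id: str, redirect_uri: str) -> str:
    """First leg: redirect_uri is encoded a second time as an outer query parameter."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": client_id, "redirect_uri": redirect_uri})


def token_url(client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
    """Second leg: the same redirect_uri, encoded again, plus the returned code."""
    query = {"client_id": client_id, "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    return TOKEN_ENDPOINT + "?" + urlencode(query)


def redirect_uri_of(url: str) -> str:
    """The redirect_uri Facebook sees after decoding the outer query string once."""
    return parse_qs(urlsplit(url).query)["redirect_uri"][0]


def callback_params(redirect_uri: str) -> dict:
    """What the callback's framework (PHP's $_GET) hands the app: decoded once more."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_uri).query).items()}


def round_trip(client_id: str, client_secret: str, code: str, params: dict) -> bool:
    """Simulate both legs; the redirect_uri values must match exactly or the
    access_token request fails with 'Error validating verification code'."""
    first = build_redirect_uri(CALLBACK, params)
    auth = authorize_url(client_id, first)
    # my_param_1 arrives decoded on the callback, so it must be re-encoded when
    # the redirect_uri is rebuilt for the access_token request.
    received = callback_params(redirect_uri_of(auth))
    second = build_redirect_uri(CALLBACK, received)
    tok = token_url(client_id, client_secret, code, second)
    return redirect_uri_of(auth) == redirect_uri_of(tok)
```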